增加测试用的配置和目录

Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-02 15:51:55 +08:00 · 2024-07-02 15:51:55 +08:00 · 0b84f3c661
commit 0b84f3c661
parent f65a0c3182
4598 changed files with 753404 additions and 0 deletions
--- a/cusas/3/three-eight-nine-ds-base/389-ds-base-1.4.3.20-1_openEuler-SA-2022-2056.json
+++ b/cusas/3/three-eight-nine-ds-base/389-ds-base-1.4.3.20-1_openEuler-SA-2022-2056.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-2056",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2056",
+  "title": "An update for three-eight-nine-ds-base is now available for openEuler-22.03-LTS",
+  "severity": "Moderate",
+  "description": "389-ds-base is an LDAPv3 compliant server which includes the LDAP server and command line utilities for server administration.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.(CVE-2020-35518)",
+  "cves": [
+    {
+      "id": "CVE-2020-35518",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35518",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/3/three-eight-nine-ds-base/389-ds-base-1.4.3.36-5_openEuler-SA-2024-1148.json
+++ b/cusas/3/three-eight-nine-ds-base/389-ds-base-1.4.3.36-5_openEuler-SA-2024-1148.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2024-1148",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1148",
+  "title": "An update for three-eight-nine-ds-base is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+  "severity": "Moderate",
+  "description": "389-ds-base is an LDAPv3 compliant server which includes the LDAP server and command line utilities for server administration.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.(CVE-2024-1062)",
+  "cves": [
+    {
+      "id": "CVE-2024-1062",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1062",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/3/three-eight-nine-ds-base/config.json
+++ b/cusas/3/three-eight-nine-ds-base/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/I/ImageMagick/ImageMagick-7.1.0.28-1_openEuler-SA-2022-1670.json
+++ b/cusas/I/ImageMagick/ImageMagick-7.1.0.28-1_openEuler-SA-2022-1670.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-1670",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1670",
+  "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+  "severity": "Important",
+  "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA heap-use-after-free flaw was found in ImageMagick's RelinquishDCMInfo() function of dcm.c file. This vulnerability is triggered when an attacker passes a specially crafted DICOM image file to ImageMagick for conversion, potentially leading to information disclosure and a denial of service.(CVE-2022-1114)",
+  "cves": [
+    {
+      "id": "CVE-2022-1114",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1114",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/I/ImageMagick/ImageMagick-7.1.0.28-3_openEuler-SA-2022-1896.json
+++ b/cusas/I/ImageMagick/ImageMagick-7.1.0.28-3_openEuler-SA-2022-1896.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-1896",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1896",
+  "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
+  "severity": "Moderate",
+  "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nIn ImageMagick, a crafted file could trigger an assertion failure when a call to WriteImages was made in MagickWand/operation.c, due to a NULL image list. This could potentially cause a denial of service. This was fixed in upstream ImageMagick version 7.1.0-30.(CVE-2022-2719)",
+  "cves": [
+    {
+      "id": "CVE-2022-2719",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2719",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/ImageMagick/ImageMagick-7.1.0.28-3_openEuler-SA-2022-1903.json
+++ b/cusas/I/ImageMagick/ImageMagick-7.1.0.28-3_openEuler-SA-2022-1903.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-1903",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1903",
+  "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+  "severity": "Moderate",
+  "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort,shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-buffer-overflow flaw was found in ImageMagick’s PushShortPixel() function of quantum-private.h file. This vulnerability is triggered when an attacker passes a specially crafted TIFF image file to ImageMagick for conversion, potentially leading to a denial of service.(CVE-2022-1115)",
+  "cves": [
+    {
+      "id": "CVE-2022-1115",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1115",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/ImageMagick/ImageMagick-7.1.0.28-4_openEuler-SA-2022-1998.json
+++ b/cusas/I/ImageMagick/ImageMagick-7.1.0.28-4_openEuler-SA-2022-1998.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-1998",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1998",
+  "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+  "severity": "Moderate",
+  "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort,shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap buffer overflow issue was found in ImageMagick. When an application processes a malformed TIFF file, it could lead to undefined behavior or a crash causing a denial of service.(CVE-2022-3213)",
+  "cves": [
+    {
+      "id": "CVE-2022-3213",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3213",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/ImageMagick/ImageMagick-7.1.0.28-4_openEuler-SA-2022-2091.json
+++ b/cusas/I/ImageMagick/ImageMagick-7.1.0.28-4_openEuler-SA-2022-2091.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-2091",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2091",
+  "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
+  "severity": "Moderate",
+  "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, modify, and distribute in both open and proprietary applications. In affected versions and in certain cases, Postscript files could be read and written when specifically excluded by a `module` policy in `policy.xml`. ex. <policy domain=\"module\" rights=\"none\" pattern=\"PS\" />. The issue has been resolved in ImageMagick 7.1.0-7 and in 6.9.12-22. Fortunately, in the wild, few users utilize the `module` policy and instead use the `coder` policy that is also our workaround recommendation: <policy domain=\"coder\" rights=\"none\" pattern=\"{PS,EPI,EPS,EPSF,EPSI}\" />.(CVE-2021-39212)\r\n\r\nA NULL pointer dereference flaw was found in ImageMagick in versions prior to 7.0.10-31 in ReadSVGImage() in coders/svg.c. This issue is due to not checking the return value from libxml2's xmlCreatePushParserCtxt() and uses the value directly, which leads to a crash and segmentation fault.(CVE-2021-3596)",
+  "cves": [
+    {
+      "id": "CVE-2021-3596",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3596",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/ImageMagick/ImageMagick-7.1.0.28-5_openEuler-SA-2022-2109.json
+++ b/cusas/I/ImageMagick/ImageMagick-7.1.0.28-5_openEuler-SA-2022-2109.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-2109",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2109",
+  "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+  "severity": "Important",
+  "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR,WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort,shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nIn ImageMagick, there is load of misaligned address for type 'double', which requires 8 byte alignment and for type 'float', which requires 4 byte alignment at MagickCore/property.c. Whenever crafted or untrusted input is processed by ImageMagick, this causes a negative impact to application availability or other problems related to undefined behavior.(CVE-2022-32547)",
+  "cves": [
+    {
+      "id": "CVE-2022-32547",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32547",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/I/ImageMagick/ImageMagick-7.1.0.28-6_openEuler-SA-2023-1065.json
+++ b/cusas/I/ImageMagick/ImageMagick-7.1.0.28-6_openEuler-SA-2023-1065.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1065",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1065",
+  "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+  "severity": "Important",
+  "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR,WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort,shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input.(CVE-2022-44267)\r\n\r\nImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it).(CVE-2022-44268)",
+  "cves": [
+    {
+      "id": "CVE-2022-44268",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44268",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/I/ImageMagick/ImageMagick-7.1.1.8-1_openEuler-SA-2023-1259.json
+++ b/cusas/I/ImageMagick/ImageMagick-7.1.1.8-1_openEuler-SA-2023-1259.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1259",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1259",
+  "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+  "severity": "Moderate",
+  "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in \"/tmp,\" resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.(CVE-2023-1289)\r\n\r\nA heap-based buffer overflow issue was discovered in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. An attacker could pass specially crafted file to convert, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.(CVE-2023-1906)",
+  "cves": [
+    {
+      "id": "CVE-2023-1906",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1906",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/ImageMagick/ImageMagick-7.1.1.8-1_openEuler-SA-2023-1332.json
+++ b/cusas/I/ImageMagick/ImageMagick-7.1.1.8-1_openEuler-SA-2023-1332.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1332",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1332",
+  "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
+  "severity": "Moderate",
+  "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap-based buffer overflow vulnerability was found in the ImageMagick package that can lead to the application crashing.(CVE-2023-2157)",
+  "cves": [
+    {
+      "id": "CVE-2023-2157",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2157",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/ImageMagick/ImageMagick-7.1.1.8-2_openEuler-SA-2023-1349.json
+++ b/cusas/I/ImageMagick/ImageMagick-7.1.1.8-2_openEuler-SA-2023-1349.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1349",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1349",
+  "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
+  "severity": "Important",
+  "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA vulnerability was found in ImageMagick. This security flaw ouccers as an undefined behaviors of casting double to size_t in svg, mvg and other coders (recurring bugs of CVE-2022-32546).(CVE-2023-34151)\n\nA vulnerability was found in ImageMagick. This security flaw causes a shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding.(CVE-2023-34153)",
+  "cves": [
+    {
+      "id": "CVE-2023-34153",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34153",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/ImageMagick/ImageMagick-7.1.1.8-3_openEuler-SA-2023-1407.json
+++ b/cusas/I/ImageMagick/ImageMagick-7.1.1.8-3_openEuler-SA-2023-1407.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1407",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1407",
+  "title": "An update for ImageMagick is now available for openEuler-22.03-LTS",
+  "severity": "Moderate",
+  "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA heap-based buffer overflow issue was discovered in ImageMagick's ReadTIM2ImageData() function in coders/tim2.c. A local attacker could trick the user in opening specially crafted file, triggering an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.(CVE-2023-34474)\n\nA heap use after free issue was discovered in ImageMagick's ReplaceXmpValue() function in MagickCore/profile.c. An attacker could trick user to open a specially crafted file to convert, triggering an heap-use-after-free write error, allowing an application to crash, resulting in a denial of service.(CVE-2023-34475)",
+  "cves": [
+    {
+      "id": "CVE-2023-34475",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34475",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/ImageMagick/ImageMagick-7.1.1.8-4_openEuler-SA-2023-1442.json
+++ b/cusas/I/ImageMagick/ImageMagick-7.1.1.8-4_openEuler-SA-2023-1442.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1442",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1442",
+  "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+  "severity": "Moderate",
+  "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects,or draw text, lines, polygons, ellipses and Bézier curves.\n\nSecurity Fix(es):\n\nA vulnerability was found in ImageMagick <=7.1.1, where heap-based buffer overflow was found in coders/tiff.c.\n\nReferences:\nhttps://github.com/ImageMagick/ImageMagick/commit/a531d28e31309676ce8168c3b6dbbb5374b78790(CVE-2023-3428)",
+  "cves": [
+    {
+      "id": "CVE-2023-3428",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3428",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/ImageMagick/ImageMagick-7.1.1.8-5_openEuler-SA-2023-1733.json
+++ b/cusas/I/ImageMagick/ImageMagick-7.1.1.8-5_openEuler-SA-2023-1733.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1733",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1733",
+  "title": "An update for ImageMagick is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+  "severity": "Moderate",
+  "description": "Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in ImageMagick <=7.1.1, where heap use-after-free was found in coders/bmp.c.\r\n\r\nReferences:\nhttps://github.com/ImageMagick/ImageMagick/commit/aa673b2e4defc7cad5bec16c4fc8324f71e531f1(CVE-2023-5341)",
+  "cves": [
+    {
+      "id": "CVE-2023-5341",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5341",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/ImageMagick/config.json
+++ b/cusas/I/ImageMagick/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/I/iSulad/config.json
+++ b/cusas/I/iSulad/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/I/iSulad/iSulad-2.0.18-13_openEuler-SA-2023-1686.json
+++ b/cusas/I/iSulad/iSulad-2.0.18-13_openEuler-SA-2023-1686.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1686",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1686",
+  "title": "An update for iSulad is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+  "severity": "Critical",
+  "description": "\r\n\r\nSecurity Fix(es):\r\n\r\nWhen malicious images are pulled by isula pull, attackers can execute arbitrary code.(CVE-2021-33635)\r\n\r\nWhen the isula load command is used to load malicious images, attackers can execute arbitrary code.(CVE-2021-33636)\r\n\r\nWhen the isula export command is used to export a container to an image and the container is controlled by an attacker, the attacker can escape the container.(CVE-2021-33637)\r\n\r\nWhen the isula cp command is used to copy files from a container to a host machine and the container is controlled by an attacker, the attacker can escape the container.(CVE-2021-33638)",
+  "cves": [
+    {
+      "id": "CVE-2021-33638",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33638",
+      "severity": "Critical"
+    }
+  ]
+}
--- a/cusas/I/iSulad/iSulad-2.0.18-16_openEuler-SA-2024-1287.json
+++ b/cusas/I/iSulad/iSulad-2.0.18-16_openEuler-SA-2024-1287.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2024-1287",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1287",
+  "title": "An update for iSulad is now available for openEuler-22.03-LTS",
+  "severity": "Important",
+  "description": "This is a umbrella project for gRPC-services based Lightweight Container Runtime Daemon, written by C.\r\n\r\nSecurity Fix(es):\r\n\r\n在isulad服务初始化阶段，会进行临时文件的正确性检查，如果检查不通过则重新创建文件，在检查与创建之间，存在一个条件竞争问题，攻击者可以通过利用该漏洞进行提权。(CVE-2021-33632)",
+  "cves": [
+    {
+      "id": "CVE-2021-33632",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33632",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/I/ibus/config.json
+++ b/cusas/I/ibus/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/I/icu/config.json
+++ b/cusas/I/icu/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/I/ignition/config.json
+++ b/cusas/I/ignition/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/I/indent/config.json
+++ b/cusas/I/indent/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/I/indent/indent-2.2.11-29_openEuler-SA-2023-1552.json
+++ b/cusas/I/indent/indent-2.2.11-29_openEuler-SA-2023-1552.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1552",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1552",
+  "title": "An update for indent is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+  "severity": "Important",
+  "description": "The indent program can be used to make code easier to read. It can also convert from one style of writing C to another. indent understands a substantial amount about the syntax of C, but it also attempts to cope with incomplete and misformed syntax.\r\n\r\nSecurity Fix(es):\r\n\r\nGNU indent 2.2.13 has a heap-based buffer overflow in search_brace in indent.c via a crafted file.(CVE-2023-40305)",
+  "cves": [
+    {
+      "id": "CVE-2023-40305",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40305",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/I/indent/indent-2.2.11-30_openEuler-SA-2024-1199.json
+++ b/cusas/I/indent/indent-2.2.11-30_openEuler-SA-2024-1199.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2024-1199",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1199",
+  "title": "An update for indent is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+  "severity": "Moderate",
+  "description": "The indent program can be used to make code easier to read. It can also convert from one style of writing C to another. indent understands a substantial amount about the syntax of C, but it also attempts to cope with incomplete and misformed syntax.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in indent, a program for formatting C code. This issue may allow an attacker to trick a user into processing a specially crafted file to trigger a heap-based buffer overflow, causing the application to crash.(CVE-2024-0911)",
+  "cves": [
+    {
+      "id": "CVE-2024-0911",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0911",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/infinispan/config.json
+++ b/cusas/I/infinispan/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/I/infinispan/infinispan-8.2.4-13_openEuler-SA-2024-1667.json
+++ b/cusas/I/infinispan/infinispan-8.2.4-13_openEuler-SA-2024-1667.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2024-1667",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1667",
+  "title": "An update for infinispan is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+  "severity": "Important",
+  "description": "Infinispan is an extremely scalable, highly available data grid platform - 100% open source, and written in Java. The purpose of Infinispan is to expose a data structure that is highly concurrent, designed ground-up to make the most of modern multi-processor/multi-core architectures while at the same time providing distributed cache capabilities.  At its core Infinispan exposes a Cache interface which extends java.util.Map. It is also optionally is backed by a peer-to-peer network architecture to distribute state efficiently around a data grid.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.(CVE-2019-10174)",
+  "cves": [
+    {
+      "id": "CVE-2019-10174",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10174",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/I/iniparser/config.json
+++ b/cusas/I/iniparser/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/I/iniparser/iniparser-4.1-4_openEuler-SA-2023-1388.json
+++ b/cusas/I/iniparser/iniparser-4.1-4_openEuler-SA-2023-1388.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1388",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1388",
+  "title": "An update for iniparser is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+  "severity": "Moderate",
+  "description": "This modules offers parsing of ini files from the C level. See a complete documentation in HTML format, from this directory open the file html/index.html with any HTML-capable browser.\r\n\r\nSecurity Fix(es):\r\n\r\niniparser v4.1 is vulnerable to NULL Pointer Dereference in function iniparser_getlongint which misses check NULL for function iniparser_getstring's return.(CVE-2023-33461)",
+  "cves": [
+    {
+      "id": "CVE-2023-33461",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33461",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/intel-sgx-ssl/config.json
+++ b/cusas/I/intel-sgx-ssl/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/I/intel-sgx-ssl/intel-sgx-ssl-2.15.1-2_openEuler-SA-2022-1898.json
+++ b/cusas/I/intel-sgx-ssl/intel-sgx-ssl-2.15.1-2_openEuler-SA-2022-1898.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-1898",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1898",
+  "title": "An update for intel-sgx-ssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+  "severity": "Important",
+  "description": "The Intel® Software Guard Extensions SSL (Intel® SGX SSL) cryptographic library is intended to provide cryptographic services for Intel® Software Guard Extensions (SGX) enclave applications. The Intel® SGX SSL cryptographic library is based on the underlying OpenSSL* Open Source project, providing a full-strength general purpose cryptography library. Supported OpenSSL version is 1.1.1l.\r\n\r\nSecurity Fix(es):\r\n\r\nThe c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).(CVE-2022-1292)\r\n\r\nIn addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).(CVE-2022-2068)\r\n\r\nAES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).(CVE-2022-2097)\r\n\r\nThe BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).(CVE-2022-0778)",
+  "cves": [
+    {
+      "id": "CVE-2022-0778",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0778",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/iperf3/config.json
+++ b/cusas/I/iperf3/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/I/iperf3/iperf3-3.10.1-2_openEuler-SA-2023-1497.json
+++ b/cusas/I/iperf3/iperf3-3.10.1-2_openEuler-SA-2023-1497.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1497",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1497",
+  "title": "An update for iperf3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+  "severity": "Moderate",
+  "description": "Iperf is a tool for active measurements of the maximum achievable bandwidth on IP networks. It supports tuning of various parameters related to timing, protocols, and buffers.\r\n\r\nSecurity Fix(es):\r\n\r\niperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field.(CVE-2023-38403)",
+  "cves": [
+    {
+      "id": "CVE-2023-38403",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38403",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/iperf3/iperf3-3.16-1_openEuler-SA-2024-1418.json
+++ b/cusas/I/iperf3/iperf3-3.16-1_openEuler-SA-2024-1418.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2024-1418",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1418",
+  "title": "An update for iperf3 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+  "severity": "Moderate",
+  "description": "Iperf is a tool for active measurements of the maximum achievable bandwidth on IP networks. It supports tuning of various parameters related to timing, protocols, and buffers.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in iperf, a utility for testing network performance using TCP, UDP, and SCTP. A malicious or malfunctioning client can send less than the expected amount of data to the iperf server, which can cause the server to hang indefinitely waiting for the remainder or until the connection gets closed. This will prevent other connections to the server, leading to a denial of service.(CVE-2023-7250)",
+  "cves": [
+    {
+      "id": "CVE-2023-7250",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7250",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/I/iperf3/iperf3-3.16-3_openEuler-SA-2024-1604.json
+++ b/cusas/I/iperf3/iperf3-3.16-3_openEuler-SA-2024-1604.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2024-1604",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1604",
+  "title": "An update for iperf3 is now available for openEuler-20.03-LTS-SP1,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP3",
+  "severity": "Low",
+  "description": "Iperf is a tool for active measurements of the maximum achievable bandwidth on IP networks. It supports tuning of various parameters related to timing, protocols, and buffers.\r\n\r\nSecurity Fix(es):\r\n\r\niPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in \"Everlasting ROBOT: the Marvin Attack\" by Hubert Kario.(CVE-2024-26306)",
+  "cves": [
+    {
+      "id": "CVE-2024-26306",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26306",
+      "severity": "Low"
+    }
+  ]
+}
--- a/cusas/I/isula-build/config.json
+++ b/cusas/I/isula-build/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/Open-iSCSI/config.json
+++ b/cusas/O/Open-iSCSI/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/OpenEXR/OpenEXR-3.1.5-1_openEuler-SA-2022-1639.json
+++ b/cusas/O/OpenEXR/OpenEXR-3.1.5-1_openEuler-SA-2022-1639.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-1639",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1639",
+  "title": "An update for OpenEXR is now available for openEuler-22.03-LTS",
+  "severity": "Moderate",
+  "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light and Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\nOpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1::LineCompositeTask::execute (called from IlmThread_3_1::NullThreadPoolProvider::addTask and IlmThread_3_1::ThreadPool::addGlobalTask). NOTE: db217f2 may be inapplicable.(CVE-2021-45942)",
+  "cves": [
+    {
+      "id": "CVE-2021-45942",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45942",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/O/OpenEXR/OpenEXR-3.1.5-2_openEuler-SA-2024-1215.json
+++ b/cusas/O/OpenEXR/OpenEXR-3.1.5-2_openEuler-SA-2024-1215.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2024-1215",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1215",
+  "title": "An update for OpenEXR is now available for openEuler-22.03-LTS",
+  "severity": "Critical",
+  "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nDue to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability. This issue was resolved as of versions v3.2.2 and v3.1.12 of the affected library.\n(CVE-2023-5841)",
+  "cves": [
+    {
+      "id": "CVE-2023-5841",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5841",
+      "severity": "Critical"
+    }
+  ]
+}
--- a/cusas/O/OpenEXR/OpenEXR-3.1.5-3_openEuler-SA-2024-1549.json
+++ b/cusas/O/OpenEXR/OpenEXR-3.1.5-3_openEuler-SA-2024-1549.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2024-1549",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1549",
+  "title": "An update for OpenEXR is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS and openEuler-22.03-LTS-SP2",
+  "severity": "Moderate",
+  "description": "OpenEXR is a high dynamic-range (HDR) image file format originally developed by Industrial Light & Magic for use in computer imaging applications.\r\n\r\nSecurity Fix(es):\r\n\r\nAn issue in Academy Software Foundation openexr v.3.2.3 and before allows a local attacker to cause a denial of service (DoS) via the convert function of exrmultipart.cpp.(CVE-2024-31047)",
+  "cves": [
+    {
+      "id": "CVE-2024-31047",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31047",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/O/OpenEXR/config.json
+++ b/cusas/O/OpenEXR/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/obs-server/config.json
+++ b/cusas/O/obs-server/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/open-vm-tools/config.json
+++ b/cusas/O/open-vm-tools/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/open-vm-tools/open-vm-tools-12.0.5-3_openEuler-SA-2023-1629.json
+++ b/cusas/O/open-vm-tools/open-vm-tools-12.0.5-3_openEuler-SA-2023-1629.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1629",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1629",
+  "title": "An update for open-vm-tools is now available for openEuler-22.03-LTS",
+  "severity": "Important",
+  "description": "The  project is an open source implementation of VMware Tools. It is a suite of open source virtualization utilities and drivers to improve the functionality, user experience and administration of VMware virtual machines. This package contains only the core user-space programs and libraries of .\r\n\r\nSecurity Fix(es):\r\n\r\nA fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.(CVE-2023-20867)\r\n\r\nA malicious actor that has been granted  Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html  in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged  Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .(CVE-2023-20900)",
+  "cves": [
+    {
+      "id": "CVE-2023-20900",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20900",
+      "severity": "Low"
+    }
+  ]
+}
--- a/cusas/O/open-vm-tools/open-vm-tools-12.0.5-4_openEuler-SA-2023-1831.json
+++ b/cusas/O/open-vm-tools/open-vm-tools-12.0.5-4_openEuler-SA-2023-1831.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1831",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1831",
+  "title": "An update for open-vm-tools is now available for openEuler-22.03-LTS",
+  "severity": "Important",
+  "description": "The  project is an open source implementation of VMware Tools. It is a suite of open source virtualization utilities and drivers to improve the functionality, user experience and administration of VMware virtual machines. This package contains only the core user-space programs and libraries of .\r\n\r\nSecurity Fix(es):\r\n\r\nVMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted  Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html  in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged  Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .(CVE-2023-34058)\r\n\r\nopen-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the \n/dev/uinput file descriptor allowing them to simulate user inputs.(CVE-2023-34059)",
+  "cves": [
+    {
+      "id": "CVE-2023-34059",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34059",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/O/openblas/config.json
+++ b/cusas/O/openblas/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/openjpeg/config.json
+++ b/cusas/O/openjpeg/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/openjpeg2/config.json
+++ b/cusas/O/openjpeg2/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/openjpeg2/openjpeg2-2.4.0-6_openEuler-SA-2022-1678.json
+++ b/cusas/O/openjpeg2/openjpeg2-2.4.0-6_openEuler-SA-2022-1678.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-1678",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1678",
+  "title": "An update for openjpeg2 is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+  "severity": "Moderate",
+  "description": "OpenJPEG is an open-source JPEG 2000 codec written in C language. It has been developed in order to promote the use of JPEG 2000, a still-image compression standard from the Joint Photographic Experts Group (JPEG). Since April 2015, it is officially recognized by ISO/IEC and ITU-T as a JPEG 2000 Reference Software.\r\n\nSecurity Fix(es):\r\n\r\nA flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in the way it handles an input directory with a large number of files. When it fails to allocate a buffer to store the filenames of the input directory, it calls free() on an uninitialized pointer, leading to a segmentation fault and a denial of service.(CVE-2022-1122)",
+  "cves": [
+    {
+      "id": "CVE-2022-1122",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1122",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/O/openldap/config.json
+++ b/cusas/O/openldap/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/openldap/openldap-2.6.0-3_openEuler-SA-2022-1654.json
+++ b/cusas/O/openldap/openldap-2.6.0-3_openEuler-SA-2022-1654.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-1654",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1654",
+  "title": "An update for openldap is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+  "severity": "Critical",
+  "description": "OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.\r\n\r\nSecurity Fix(es):\r\n\r\nIn OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.(CVE-2022-29155)",
+  "cves": [
+    {
+      "id": "CVE-2022-29155",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29155",
+      "severity": "Critical"
+    }
+  ]
+}
--- a/cusas/O/openldap/openldap-2.6.0-5_openEuler-SA-2023-1334.json
+++ b/cusas/O/openldap/openldap-2.6.0-5_openEuler-SA-2023-1334.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1334",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1334",
+  "title": "An update for openldap is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+  "severity": "Important",
+  "description": "OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.\r\n\r\nSecurity Fix(es):\r\n\r\nA vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.(CVE-2023-2953)",
+  "cves": [
+    {
+      "id": "CVE-2023-2953",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2953",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/O/opensc/config.json
+++ b/cusas/O/opensc/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/opensc/opensc-0.21.0-6_openEuler-SA-2022-1664.json
+++ b/cusas/O/opensc/opensc-0.21.0-6_openEuler-SA-2022-1664.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-1664",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1664",
+  "title": "An update for opensc is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+  "severity": "Moderate",
+  "description": "OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the standard APIs to smart cards, e.g. PKCS#11 API, Windows’ Smart Card Minidriver and macOS Tokend.\r\n\r\nSecurity Fix(es):\r\n\r\nA heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.(CVE-2021-42778)\n\nA use after return issue was found in Opensc before version 0.22.0 in insert_pin function that could potentially crash programs using the library.(CVE-2021-42780)\n\nStack buffer overflow issues were found in Opensc before version 0.22.0 in various places that could potentially crash programs using the library.(CVE-2021-42782)",
+  "cves": [
+    {
+      "id": "CVE-2021-42782",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42782",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/O/openssh/config.json
+++ b/cusas/O/openssh/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/openssh/openssh-8.8p1-17_openEuler-SA-2023-1063.json
+++ b/cusas/O/openssh/openssh-8.8p1-17_openEuler-SA-2023-1063.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1063",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1063",
+  "title": "An update for openssh is now available for openEuler-22.03-LTS",
+  "severity": "Moderate",
+  "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nOpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be triggered by an unauthenticated attacker in the default configuration. One third-party report states \"remote code execution is theoretically possible.\"(CVE-2023-25136)",
+  "cves": [
+    {
+      "id": "CVE-2023-25136",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25136",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/O/openssh/openssh-8.8p1-22_openEuler-SA-2023-1480.json
+++ b/cusas/O/openssh/openssh-8.8p1-22_openEuler-SA-2023-1480.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1480",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1480",
+  "title": "An update for openssh is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+  "severity": "Important",
+  "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol.\r\n\r\nSecurity Fix(es):\r\n\r\nThe PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.(CVE-2023-38408)",
+  "cves": [
+    {
+      "id": "CVE-2023-38408",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38408",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/O/openssh/openssh-8.8p1-23_openEuler-SA-2023-1977.json
+++ b/cusas/O/openssh/openssh-8.8p1-23_openEuler-SA-2023-1977.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1977",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1977",
+  "title": "An update for openssh is now available for openEuler-22.03-LTS",
+  "severity": "Critical",
+  "description": "OpenSSH is the premier connectivity tool for remote login with the SSH protocol. \\ It encrypts all traffic to eliminate eavesdropping, connection hijacking, and \\ other attacks. In addition, OpenSSH provides a large suite of secure tunneling \\ capabilities, several authentication methods, and sophisticated configuration options.\r\n\r\nSecurity Fix(es):\r\n\r\nThe SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.(CVE-2023-48795)\r\n\r\nIn ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.(CVE-2023-51385)",
+  "cves": [
+    {
+      "id": "CVE-2023-51385",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51385",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/O/openssl/config.json
+++ b/cusas/O/openssl/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/openssl/openssl-1.1.1m-18_openEuler-SA-2023-1092.json
+++ b/cusas/O/openssl/openssl-1.1.1m-18_openEuler-SA-2023-1092.json
--- a/cusas/O/openssl/openssl-1.1.1m-19_openEuler-SA-2023-1207.json
+++ b/cusas/O/openssl/openssl-1.1.1m-19_openEuler-SA-2023-1207.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1207",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1207",
+  "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+  "severity": "Important",
+  "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nA security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0464)\r\n\r\nApplications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.(CVE-2023-0465)\r\n\r\nThe function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.(CVE-2023-0466)",
+  "cves": [
+    {
+      "id": "CVE-2023-0466",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0466",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/O/openssl/openssl-1.1.1m-20_openEuler-SA-2023-1356.json
+++ b/cusas/O/openssl/openssl-1.1.1m-20_openEuler-SA-2023-1356.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1356",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1356",
+  "title": "An update for openssl is now available for openEuler-22.03-LTS",
+  "severity": "Important",
+  "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\n\nSecurity Fix(es):\n\nIssue summary: Processing some specially crafted ASN.1 object identifiers or\ndata containing them may be very slow.\n\nImpact summary: Applications that use OBJ_obj2txt() directly, or use any of\nthe OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message\nsize limit may experience notable to very long delays when processing those\nmessages, which may lead to a Denial of Service.\n\nAn OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -\nmost of which have no size limit.  OBJ_obj2txt() may be used to translate\nan ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL\ntype ASN1_OBJECT) to its canonical numeric text form, which are the\nsub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by\nperiods.\n\nWhen one of the sub-identifiers in the OBJECT IDENTIFIER is very large\n(these are sizes that are seen as absurdly large, taking up tens or hundreds\nof KiBs), the translation to a decimal number in text may take a very long\ntime.  The time complexity is O(n^2) with 'n' being the size of the\nsub-identifiers in bytes (*).\n\nWith OpenSSL 3.0, support to fetch cryptographic algorithms using names /\nidentifiers in string form was introduced.  This includes using OBJECT\nIDENTIFIERs in canonical numeric text form as identifiers for fetching\nalgorithms.\n\nSuch OBJECT IDENTIFIERs may be received through the ASN.1 structure\nAlgorithmIdentifier, which is commonly used in multiple protocols to specify\nwhat cryptographic algorithm should be used to sign or verify, encrypt or\ndecrypt, or digest passed data.\n\nApplications that call OBJ_obj2txt() directly with untrusted data are\naffected, with any version of OpenSSL.  If the use is for the mere purpose\nof display, the severity is considered low.\n\nIn OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,\nCMS, CMP/CRMF or TS.  It also impacts anything that processes X.509\ncertificates, including simple things like verifying its signature.\n\nThe impact on TLS is relatively low, because all versions of OpenSSL have a\n100KiB limit on the peer's certificate chain.  Additionally, this only\nimpacts clients, or servers that have explicitly enabled client\nauthentication.\n\nIn OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,\nsuch as X.509 certificates.  This is assumed to not happen in such a way\nthat it would cause a Denial of Service, so these versions are considered\nnot affected by this issue in such a way that it would be cause for concern,\nand the severity is therefore considered low.(CVE-2023-2650)",
+  "cves": [
+    {
+      "id": "CVE-2023-2650",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2650",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/O/openssl/openssl-1.1.1m-21_openEuler-SA-2023-1466.json
+++ b/cusas/O/openssl/openssl-1.1.1m-21_openEuler-SA-2023-1466.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1466",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1466",
+  "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+  "severity": "Moderate",
+  "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\n\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\r\n\r\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus ('p' parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\r\n\r\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\r\n\r\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\r\n\r\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\r\n\r\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the '-check' option.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3446)",
+  "cves": [
+    {
+      "id": "CVE-2023-3446",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/O/openssl/openssl-1.1.1m-22_openEuler-SA-2023-1481.json
+++ b/cusas/O/openssl/openssl-1.1.1m-22_openEuler-SA-2023-1481.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1481",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1481",
+  "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+  "severity": "Moderate",
+  "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\r\n\r\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\r\n\r\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\r\n\r\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\r\n\r\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\r\n\r\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.(CVE-2023-3817)",
+  "cves": [
+    {
+      "id": "CVE-2023-3817",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3817",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/O/openssl/openssl-1.1.1m-24_openEuler-SA-2023-1821.json
+++ b/cusas/O/openssl/openssl-1.1.1m-24_openEuler-SA-2023-1821.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1821",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1821",
+  "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+  "severity": "Moderate",
+  "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Generating excessively long X9.42 DH keys or checking\nexcessively long X9.42 DH keys or parameters may be very slow.\r\n\r\nImpact summary: Applications that use the functions DH_generate_key() to\ngenerate an X9.42 DH key may experience long delays.  Likewise, applications\nthat use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()\nto check an X9.42 DH key or X9.42 DH parameters may experience long delays.\nWhere the key or parameters that are being checked have been obtained from\nan untrusted source this may lead to a Denial of Service.\r\n\r\nWhile DH_check() performs all the necessary checks (as of CVE-2023-3817),\nDH_check_pub_key() doesn't make any of these checks, and is therefore\nvulnerable for excessively large P and Q parameters.\r\n\r\nLikewise, while DH_generate_key() performs a check for an excessively large\nP, it doesn't check for an excessively large Q.\r\n\r\nAn application that calls DH_generate_key() or DH_check_pub_key() and\nsupplies a key or parameters obtained from an untrusted source could be\nvulnerable to a Denial of Service attack.\r\n\r\nDH_generate_key() and DH_check_pub_key() are also called by a number of\nother OpenSSL functions.  An application calling any of those other\nfunctions may similarly be affected.  The other functions affected by this\nare DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().\r\n\r\nAlso vulnerable are the OpenSSL pkey command line application when using the\n\"-pubcheck\" option, as well as the OpenSSL genpkey command line application.\r\n\r\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\r\n\r\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.\r\n\r\n(CVE-2023-5678)",
+  "cves": [
+    {
+      "id": "CVE-2023-5678",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/O/openssl/openssl-1.1.1m-26_openEuler-SA-2024-1147.json
+++ b/cusas/O/openssl/openssl-1.1.1m-26_openEuler-SA-2024-1147.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2024-1147",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1147",
+  "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+  "severity": "Moderate",
+  "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL\nto crash leading to a potential Denial of Service attack\r\n\r\nImpact summary: Applications loading files in the PKCS12 format from untrusted\nsources might terminate abruptly.\r\n\r\nA file in PKCS12 format can contain certificates and keys and may come from an\nuntrusted source. The PKCS12 specification allows certain fields to be NULL, but\nOpenSSL does not correctly check for this case. This can lead to a NULL pointer\ndereference that results in OpenSSL crashing. If an application processes PKCS12\nfiles from an untrusted source using the OpenSSL APIs then that application will\nbe vulnerable to this issue.\r\n\r\nOpenSSL APIs that are vulnerable to this are: PKCS12_parse(),\nPKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()\nand PKCS12_newpass().\r\n\r\nWe have also fixed a similar issue in SMIME_write_PKCS7(). However since this\nfunction is related to writing data we do not consider it security significant.\r\n\r\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.(CVE-2024-0727)",
+  "cves": [
+    {
+      "id": "CVE-2024-0727",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0727",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/O/openssl/openssl-1.1.1m-28_openEuler-SA-2024-1531.json
+++ b/cusas/O/openssl/openssl-1.1.1m-28_openEuler-SA-2024-1531.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2024-1531",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1531",
+  "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+  "severity": "Moderate",
+  "description": "The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL tookit and its related documentation.\r\n\r\nSecurity Fix(es):\r\n\r\nIssue summary: Some non-default TLS server configurations can cause unbounded\nmemory growth when processing TLSv1.3 sessions\r\n\r\nImpact summary: An attacker may exploit certain server configurations to trigger\nunbounded memory growth that would lead to a Denial of Service\r\n\r\nThis problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is\nbeing used (but not if early_data support is also configured and the default\nanti-replay protection is in use). In this case, under certain conditions, the\nsession cache can get into an incorrect state and it will fail to flush properly\nas it fills. The session cache will continue to grow in an unbounded manner. A\nmalicious client could deliberately create the scenario for this failure to\nforce a Denial of Service. It may also happen by accident in normal operation.\r\n\r\nThis issue only affects TLS servers supporting TLSv1.3. It does not affect TLS\nclients.\r\n\r\nThe FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL\n1.0.2 is also not affected by this issue.(CVE-2024-2511)",
+  "cves": [
+    {
+      "id": "CVE-2024-2511",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2511",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/O/openssl/openssl-1.1.1m-5_openEuler-SA-2022-1673.json
+++ b/cusas/O/openssl/openssl-1.1.1m-5_openEuler-SA-2022-1673.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-1673",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1673",
+  "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+  "severity": "Critical",
+  "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\n\nSecurity Fix(es):\n\nThe c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).(CVE-2022-1292)",
+  "cves": [
+    {
+      "id": "CVE-2022-1292",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1292",
+      "severity": "Critical"
+    }
+  ]
+}
--- a/cusas/O/openssl/openssl-1.1.1m-6_openEuler-SA-2022-1737.json
+++ b/cusas/O/openssl/openssl-1.1.1m-6_openEuler-SA-2022-1737.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-1737",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1737",
+  "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+  "severity": "Critical",
+  "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nIn addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).(CVE-2022-2068)",
+  "cves": [
+    {
+      "id": "CVE-2022-2068",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2068",
+      "severity": "Critical"
+    }
+  ]
+}
--- a/cusas/O/openssl/openssl-1.1.1m-8_openEuler-SA-2022-1833.json
+++ b/cusas/O/openssl/openssl-1.1.1m-8_openEuler-SA-2022-1833.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-1833",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1833",
+  "title": "An update for openssl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+  "severity": "Important",
+  "description": "OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.\r\n\r\nSecurity Fix(es):\r\n\r\nAES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn t written. In the special case of in place encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).(CVE-2022-2097)",
+  "cves": [
+    {
+      "id": "CVE-2022-2097",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2097",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/O/openvpn/config.json
+++ b/cusas/O/openvpn/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/openvpn/openvpn-2.5.5-2_openEuler-SA-2022-1612.json
+++ b/cusas/O/openvpn/openvpn-2.5.5-2_openEuler-SA-2022-1612.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-1612",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1612",
+  "title": "An update for openvpn is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+  "severity": "Critical",
+  "description": "OpenVPN can be extended through the --plugin option, which provides possibilities to add specialized authentication, user accounting, packet filtering and related features. These plug-ins need to be written in C and provides a more low-level and information rich access to similar features as the various script-hooks.\r\n\r\nSecurity Fix(es):\r\n\r\nOpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.(CVE-2022-0547)",
+  "cves": [
+    {
+      "id": "CVE-2022-0547",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0547",
+      "severity": "Critical"
+    }
+  ]
+}
--- a/cusas/O/openvswitch/config.json
+++ b/cusas/O/openvswitch/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/openvswitch/openvswitch-2.12.0-22_openEuler-SA-2022-1778.json
+++ b/cusas/O/openvswitch/openvswitch-2.12.0-22_openEuler-SA-2022-1778.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2022-1778",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-1778",
+  "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
+  "severity": "Important",
+  "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nA memory leak was found in Open vSwitch (OVS) during userspace IP fragmentation processing. An attacker could use this flaw to potentially exhaust available memory by keeping sending packet fragments.(CVE-2021-3905)",
+  "cves": [
+    {
+      "id": "CVE-2021-3905",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3905",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/O/openvswitch/openvswitch-2.12.4-2_openEuler-SA-2023-1025.json
+++ b/cusas/O/openvswitch/openvswitch-2.12.4-2_openEuler-SA-2023-1025.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1025",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1025",
+  "title": "An update for openvswitch is now available for openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+  "severity": "Moderate",
+  "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer underflow in Organization Specific TLV was found in various versions of OpenvSwitch.(CVE-2022-4338)",
+  "cves": [
+    {
+      "id": "CVE-2022-4338",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4338",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/O/openvswitch/openvswitch-2.12.4-4_openEuler-SA-2023-1234.json
+++ b/cusas/O/openvswitch/openvswitch-2.12.4-4_openEuler-SA-2023-1234.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1234",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1234",
+  "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+  "severity": "Important",
+  "description": "Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.(CVE-2023-1668)",
+  "cves": [
+    {
+      "id": "CVE-2023-1668",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1668",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/O/openvswitch/openvswitch-2.12.4-5_openEuler-SA-2023-1732.json
+++ b/cusas/O/openvswitch/openvswitch-2.12.4-5_openEuler-SA-2023-1732.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1732",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1732",
+  "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+  "severity": "Important",
+  "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses.(CVE-2023-5366)",
+  "cves": [
+    {
+      "id": "CVE-2023-5366",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5366",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/O/openvswitch/openvswitch-2.12.4-7_openEuler-SA-2024-1207.json
+++ b/cusas/O/openvswitch/openvswitch-2.12.4-7_openEuler-SA-2024-1207.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2024-1207",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1207",
+  "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+  "severity": "Important",
+  "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Open vSwitch where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. Triggering this issue requires that hardware offloading via the netlink path is enabled.(CVE-2023-3966)",
+  "cves": [
+    {
+      "id": "CVE-2023-3966",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3966",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/O/openvswitch/openvswitch-2.12.4-8_openEuler-SA-2024-1384.json
+++ b/cusas/O/openvswitch/openvswitch-2.12.4-8_openEuler-SA-2024-1384.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2024-1384",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1384",
+  "title": "An update for openvswitch is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+  "severity": "Important",
+  "description": "Open vSwitch is a production quality, multilayer virtual switch licensed under the open source Apache 2.0 license.\r\n\r\nSecurity Fix(es):\r\n\r\nAn integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.(CVE-2022-2639)",
+  "cves": [
+    {
+      "id": "CVE-2022-2639",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2639",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/O/optipng/config.json
+++ b/cusas/O/optipng/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/optipng/optipng-0.7.8-1_openEuler-SA-2023-1873.json
+++ b/cusas/O/optipng/optipng-0.7.8-1_openEuler-SA-2023-1873.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1873",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1873",
+  "title": "An update for optipng is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+  "severity": "Important",
+  "description": "OptiPNG is a PNG optimizer that recompresses image files to a smaller size, without losing any information. This program also converts external formats (BMP, GIF, PNM and TIFF) to optimized PNG, and performs PNG integrity checks and corrections.\r\n\r\nSecurity Fix(es):\r\n\r\nOptiPNG v0.7.7 was discovered to contain a global buffer overflow via the 'buffer' variable at gifread.c.(CVE-2023-43907)",
+  "cves": [
+    {
+      "id": "CVE-2023-43907",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43907",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/O/opusfile/config.json
+++ b/cusas/O/opusfile/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/O/opusfile/opusfile-0.11-5_openEuler-SA-2023-1062.json
+++ b/cusas/O/opusfile/opusfile-0.11-5_openEuler-SA-2023-1062.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1062",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1062",
+  "title": "An update for opusfile is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+  "severity": "Important",
+  "description": "The opusfile library provides seeking, decode, and playback of Opus streams in the Ogg container (.opus files) including over http(s) on posix and windows systems. opusfile depends on libopus and libogg.The included opusurl library for http(s) access depends on opusfile and openssl.\r\n\r\nSecurity Fix(es):\r\n\r\nA null pointer dereference issue was discovered in functions op_get_data and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12 allows attackers to cause denial of service or other unspecified impacts.(CVE-2022-47021)",
+  "cves": [
+    {
+      "id": "CVE-2022-47021",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47021",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/a/A-Tune-Collector/atune-collector-1.1.0-8_openEuler-SA-2024-1273.json
+++ b/cusas/a/A-Tune-Collector/atune-collector-1.1.0-8_openEuler-SA-2024-1273.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2024-1273",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1273",
+  "title": "An update for A-Tune-Collector is now available for openEuler-22.03-LTS",
+  "severity": "Important",
+  "description": "A-Tune-Collector is used to collect various system resources.\r\n\r\nSecurity Fix(es):\r\n\r\nWhen the get method in the sched.py file in the A-Tune-Collector software package is used to obtain the process ID, shell command combination and injection risks exist. This flaw could lead to remote arbitrary command execution.(CVE-2024-24897)",
+  "cves": [
+    {
+      "id": "CVE-2024-24897",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24897",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/a/A-Tune-Collector/config.json
+++ b/cusas/a/A-Tune-Collector/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/a/A-Tune/config.json
+++ b/cusas/a/A-Tune/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/a/activemq/activemq-5.15.16-1_openEuler-SA-2023-1778.json
+++ b/cusas/a/activemq/activemq-5.15.16-1_openEuler-SA-2023-1778.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1778",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1778",
+  "title": "An update for activemq is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+  "severity": "Critical",
+  "description": "The most popular and powerful open source messaging and Integration Patterns server.\r\n\r\nSecurity Fix(es):\r\n\r\nApache ActiveMQ is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. \r\n\r\nUsers are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.(CVE-2023-46604)",
+  "cves": [
+    {
+      "id": "CVE-2023-46604",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46604",
+      "severity": "Critical"
+    }
+  ]
+}
--- a/cusas/a/activemq/activemq-5.16.7-1_openEuler-SA-2023-1925.json
+++ b/cusas/a/activemq/activemq-5.16.7-1_openEuler-SA-2023-1925.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1925",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1925",
+  "title": "An update for activemq is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+  "severity": "Important",
+  "description": "The most popular and powerful open source messaging and Integration Patterns server.\r\n\r\nSecurity Fix(es):\r\n\r\nOnce an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. \r\n\r\nIn details, in ActiveMQ configurations, jetty allows\norg.jolokia.http.AgentServlet to handler request to /api/jolokia\r\n\r\norg.jolokia.http.HttpRequestHandler#handlePostRequest is able to\ncreate JmxRequest through JSONObject. And calls to\norg.jolokia.http.HttpRequestHandler#executeRequest.\r\n\r\nInto deeper calling stacks,\norg.jolokia.handler.ExecHandler#doHandleRequest is able to invoke\nthrough refection.\r\n\r\nAnd then, RCE is able to be achieved via\njdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11.\r\n\r\n1 Call newRecording.\r\n\r\n2 Call setConfiguration. And a webshell data hides in it.\r\n\r\n3 Call startRecording.\r\n\r\n4 Call copyTo method. The webshell will be written to a .jsp file.\r\n\r\nThe mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia.\nA more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.\n(CVE-2022-41678)",
+  "cves": [
+    {
+      "id": "CVE-2022-41678",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41678",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/a/activemq/config.json
+++ b/cusas/a/activemq/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/a/aide/config.json
+++ b/cusas/a/aide/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/a/amanda/amanda-3.5.1-21_openEuler-SA-2023-1149.json
+++ b/cusas/a/amanda/amanda-3.5.1-21_openEuler-SA-2023-1149.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1149",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1149",
+  "title": "An update for amanda is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS and openEuler-22.03-LTS-SP1",
+  "severity": "Moderate",
+  "description": "AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that allows the administrator of a LAN to set up a single master backup server to back up multiple hosts to a single large capacity tape or disk drive. Amanda uses native tools (such as GNUtar, dump) for backup and can back up a large number of workstations running multiple versions of Unix/Mac OS X/Linux/Windows.\r\n\r\nSecurity Fix(es):\r\n\r\nA flaw was found in Amanda. The `runtar` SUID binary executes /usr/bin/tar as root without properly validating its arguments, possibly leading to escalation of privileges from the regular user \"amandabackup\" to root.(CVE-2022-37705)\r\n\r\nA flaw was found in Amanda. The `rundump` SUID binary executes /usr/sbin/dump as root without properly validating its arguments, possibly leading to escalation of privileges from the regular user \"amandabackup\" to root.(CVE-2022-37704)",
+  "cves": [
+    {
+      "id": "CVE-2022-37704",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37704",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/a/amanda/amanda-3.5.4-1_openEuler-SA-2023-1507.json
+++ b/cusas/a/amanda/amanda-3.5.4-1_openEuler-SA-2023-1507.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2023-1507",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1507",
+  "title": "An update for amanda is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2",
+  "severity": "Important",
+  "description": "AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that allows the administrator of a LAN to set up a single master backup server to back up multiple hosts to a single large capacity tape or disk drive. Amanda uses native tools (such as GNUtar, dump) for backup and can back up a large number of workstations running multiple versions of Unix/Mac OS X/Linux/Windows.\n\nSecurity Fix(es):\n\nAMANDA (Advanced Maryland Automatic Network Disk Archiver) before tag-community-3.5.4 mishandles argument checking for runtar.c, a different vulnerability than CVE-2022-37705.(CVE-2023-30577)",
+  "cves": [
+    {
+      "id": "CVE-2023-30577",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30577",
+      "severity": "Important"
+    }
+  ]
+}
--- a/cusas/a/amanda/config.json
+++ b/cusas/a/amanda/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/a/ansible/ansible-2.9.27-4_openEuler-SA-2024-1190.json
+++ b/cusas/a/ansible/ansible-2.9.27-4_openEuler-SA-2024-1190.json
@ -0,0 +1,14 @@
+{
+  "id": "openEuler-SA-2024-1190",
+  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1190",
+  "title": "An update for ansible is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1,openEuler-22.03-LTS-SP2 and openEuler-22.03-LTS-SP3",
+  "severity": "Moderate",
+  "description": "Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. %if 0 Provides:            ansible-python3 = - Obsoletes:           ansible-python3 < - BuildRequires:       python3-devel python3-setuptools BuildRequires:       python3-PyYAML python3-paramiko python3-crypto python3-packaging BuildRequires:       python3-pexpect python3-winrm BuildRequires:       git-core %if %with_docs BuildRequires:       python3-sphinx python3-sphinx-theme-alabaster asciidoc %endif BuildRequires:       python3-six python3-nose python3-pytest python3-pytest-xdist BuildRequires:       python3-pytest-mock python3-requests python3-coverage python3-mock BuildRequires:       python3-boto3 python3-botocore python3-passlib python3-jinja2 Requires:            python3-PyYAML python3-paramiko python3-crypto python3-setuptools python3-six Requires:            python3-jinja2 sshpass python3-jmespath %description Ansible is a radically simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. This package installs versions of ansible that execute on Python3. %endif\r\n\r\nSecurity Fix(es):\r\n\r\nAn information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.(CVE-2024-0690)",
+  "cves": [
+    {
+      "id": "CVE-2024-0690",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0690",
+      "severity": "Moderate"
+    }
+  ]
+}
--- a/cusas/a/ansible/config.json
+++ b/cusas/a/ansible/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/a/ant/config.json
+++ b/cusas/a/ant/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/a/aops-ceres/config.json
+++ b/cusas/a/aops-ceres/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/a/aops-zeus/config.json
+++ b/cusas/a/aops-zeus/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/cusas/a/apache-commons-compress/config.json
+++ b/cusas/a/apache-commons-compress/config.json
@ -0,0 +1,5 @@
+{
+  "upstream": "22.03-LTS",
+  "autobuild": true,
+  "fixed_version": ""
+}
--- a/Show More
+++ b/Show More